Is one web programming language more secure than the others?

I am trying to understand this better.. your thoughts are greatly appreciated.
Is one web programming language more secure than the others? Now I know that brings us to the question: is one operating system more secure than others?

Well, for example, a strongly typed language vs a loosely typed language. In a loosely typed language (PHP) the language converts (automatically) the type of a variable to what is needed based on the context you use the variable. In a strongly typed language (.NET, Java) you have to explicitly (do it yourself) convert the variable to the type needed.

So let's say that in your application you have myPage.php?id=1. Anyone can do myPage.php?id=delete%20*%20from%20customers
In PHP, no error would occur. This could be a potential SQL injection attack. However, if you tried something like that in Java or .NET, the page would throw an error, because delete%20*%20from%20customers is a string while it is looking for an integer (like 51).

What archigamer has said is true, but what he has failed to mention is that specifically in PHP (although I'm sure most loosely typed languages would have something like this), you as the programmer can still explicitly set a variable type. Example -

PHP Code:

$id = intval($_GET['id']);
$id = (int)$_GET['id'];

In both of those methods, if anything other than an integer is passed in the URL as id, the variable $id will be set to 0.

Well, for example, a strongly typed language vs a loosely typed language. In a loosely typed language (PHP) the language converts (automatically) the type of a variable to what is needed based on the context you use the variable. In a strongly typed language (.NET, Java) you have to explicitly (do it yourself) convert the variable to the type needed.

So .NET as a framework is going to change over 10 years of Visual Basic programming? Last I looked, Visual Basic was a loosely typed programming language.

Maybe some languages used in .NET such as C# and MSVC are strongly typed whereas others aren't... Let's not forget that .NET is not a programming language but a framework which can be utilized by any programming language. If it is anything like its predecessor (ASP), then it can be used in PHP and Perl even (both loosely typed languages).

Languages

As others have said, a language is only as secure as it is coded to be. Arguably, the more "features" (functions, libraries, classes, et cetera) a language has, the less secure it is, and the less functional it is. Additionally, languages that have been coded by many separate programmers with different styles are more prone toward security holes, since there's a higher potential for "chinks."

Whether a language is strongly or loosely typed is also a consideration. On the whole, strongly typed languages tend to be more secure, since a variable will only accept a given type of data. There are, of course, the odd pseudo-language, like Visual Basic, that can be either strongly or loosely typed.

Naturally, the OS also comes into consideration. But that's a whole other discussion, and I'd rather not start a flame war.

As for PHP, TBH I have never seen any PHP programmer actually check types. Yes, it's available, but I haven't seen it used in real-world PHP.

That's the fault of the programmer then, not so much PHP. ASP suffers from the same problem. Honestly, it's not too difficult to implement regular expression-based validation in either language (which is what I do for both ASP and PHP).

Personally I wouldn't necessarily check for type in PHP and no apologies! I think it makes a lot more sense to directly check for validity.

For example, why check that an email address is a string when it matches a regular expression that verifies that it is an email address (and by extension a string)?

In this scenario: myPage.php?id=1
... why check to see if "1" is an integer when you can just about as easily see if 1 is a valid id? Casting to integer presents the risk of casting an injection to zero and then doing some undesired stuff with that zero (which is a valid integer). Checking to ensure that whatever is valid also gives you the chance to produce a decent error message, rather than some technical language spat error that might even give an attacker some idea of how your application works.

You definitely should know about and be prepared for the possibility of SQL injection, but type is not enough. The basic premiss is that if someone can inject their way into destroying info or gaining access to privileged data then your queries are allowing too much from their user entered portion. Slap some more WHERE on that clause!

SELECT articleText FROM articles, privs WHERE articles.ID=privs.ID AND privs.user='joeBrowser' AND articles.ID=[USER ENTERED]

Alter the user entered portion all you like, the privileges will stop you from getting anywhere you aren't allowed. (hope that query is clear and correct, it was off the top of my head)

Anyway, point is, checking by type alone is weak, just about any user input can benefit from some stronger validity checking. PHP and .Net have some great ways to do this as do most other languages.

Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?
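The two approaches argued over above, the `(int)` cast and a validity check followed by the privilege-scoped query, compared side by side as an added example that is not code from any poster in the thread. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL setup; the helper names `castId`, `validId` and `fetchArticle` and the sample rows are constructed for illustration, while the table and column names follow the query posted above.

```php
<?php
// Added example (not from the thread). Table and column names follow the
// query posted above; the rows and the helper names are constructed.

// Cast as in "(int)$_GET['id']": never fails, non-numeric input becomes 0.
function castId(string $raw): int {
    return (int)$raw;
}

// Strict validation: a whole positive integer, else null so the caller can
// return a clean error instead of querying with a stand-in value.
function validId(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Privilege-scoped lookup with bound parameters: the id is sent as data,
// and the join on privs decides whether this user may read the article.
function fetchArticle(PDO $db, string $user, int $id): ?string {
    $st = $db->prepare(
        'SELECT articleText FROM articles, privs
          WHERE articles.ID = privs.ID AND privs.user = :user AND articles.ID = :id');
    $st->execute([':user' => $user, ':id' => $id]);
    $text = $st->fetchColumn();
    return $text === false ? null : $text;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (ID INTEGER PRIMARY KEY, articleText TEXT)');
$db->exec('CREATE TABLE privs (ID INTEGER, user TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'public note'), (2, 'staff only')");
$db->exec("INSERT INTO privs VALUES (1, 'joeBrowser')");

// Constructed inputs, including the string quoted earlier in the thread.
foreach (['1', '2', '12abc', 'delete * from customers'] as $raw) {
    $id = validId($raw);
    $result = $id === null
        ? 'rejected: invalid id'
        : (fetchArticle($db, 'joeBrowser', $id) ?? 'not found or not permitted');
    printf("%-26s cast=%-3d %s\n", "'$raw'", castId($raw), $result);
}
```

The cast column shows the value the application would have queried with had it relied on `(int)` alone; the last column shows what the validated, bound query returns for the same input.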

While I agree with you that strong typing offers little in the way of real security, you are wrong about the ID thingy - strong typing helps in that case.

In this scenario: myPage.php?id=1
... why check to see if "1" is an integer when you can just about as easily see if 1 is a valid id?

Because you have to do a query to the database with that "1" in it at some point. With PHP, you most certainly have to check that that "1" is indeed an integer before letting it into your database. With strong typing, this extra step is not necessary.

Bottom line, while strong typing helps security only little, it does have some benefits.

I agree that an application is only as secure as the programmer makes it to be, but out of the box, .NET is definitely more secure out of the box than PHP is.

1. Register Globals
When you post from a form in PHP, the variables become available as normal variables, posing a great security risk. The first thing the more experienced PHP developer does is to disable this in his script (as it is never disabled on shared servers, to support legacy apps). Unfortunately, because PHP is so easy to pick up, a lot of developers happen to be not-so-experienced, and make these simple (but fatal) mistakes very often.

2. .NET does not allow "dangerous" data like HTML to be posted to a page unless you specifically allow it. Simple thing, but stops a lot of security problems.

Now, with that said, a more experienced developer can easily fix these problems. Most security problems are actually very easy to fix - it's discovering them that is the hard part.

Because you have to do a query to the database with that "1" in it at some point.

I do agree with this but I also think that a properly formatted query can accept a wide range of input. However, I suppose that you may as well know that your user input that you expect to be an integer is an integer, one way or another so I guess I agree with you that far.

You are correct that PHP does not railroad you into using htmlspecialchars as .Net apparently does (with some .Net form of htmlspecialchars). But I'm sure you know htmlspecialchars is there and so do most people who will make anything of consequence with PHP.

And yeah, what's up with mentioning register globals? That's like a 2-3 years ago problem... plus, I think that Microsoft has had some dirty laundry in the time period too (like the passport.Net leak, maybe?).

Last edited by samsm; Dec 1, 2003 at 01:38.

Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

Originally Posted by samsm

I do agree with this but I also think that a properly formatted query can accept a wide range of input. However, I suppose that you may as well know that your user input that you expect to be an integer is an integer, one way or another so I guess I agree with you that far.

You are correct that PHP does not railroad you into using htmlspecialchars as .Net apparently does (with some .Net form of htmlspecialchars). But I'm sure you know htmlspecialchars is there and so do most people who will make anything of consequence with PHP.

No, .NET doesn't railroad you into using any equivalent of htmlspecialchars(). What it does is to simply disallow posting of pure HTML data without you specifically setting that page to allow it (by a statement in the top of the page). After that, it allows you to post pure HTML data just fine. It's a small thing, but very convenient, and prevents a lot of leaks.

And yeah, what's up with mentioning register globals? That's like a 2-3 years ago problem...

No it's not - many hosts leave it on per default.

plus, I think that Microsoft has had some dirty laundry in the time period too (like the passport.Net leak, maybe?).

I'm not sure what this has to do with anything. Passport has very, very little to do with the .NET framework.

Ok. First of all, this is insane:
SELECT * FROM customer WHERE customer_ID=$_GET_ID['ID'];
You could enter integers at random via get requests and get any of a variety of customer IDs. Obvious security problem and not one directly linked to type checking.

Obviously, you need to be a step more intricate.
SELECT #* FROM customer WHERE customerID=loginID AND loginID = loginTable.loginID AND loginTable.password=" . addslashes($_SESSION['pass']) . ";

How, I ask you, how do you beat that? Throw type checking aside, that is not going to help you. You can't get to that data without the correct password, regardless of what type that password was or what ever other crap you've attempted to throw at the application in question. It's impossible. You're shut out.

Originally Posted by M. Johansson

No it's [(register globals)] not - many hosts leave it on per default.

Fair enough. Are some MSSQL hosts still vulnerable to slammer? Seriously, I'm going out on a limb and guessing that for every old security problem uncorrected in LAMP hosts, there is a problem uncorrected in IIS hosts.

Originally Posted by M. Johansson

I'm not sure what this has to do with anything. Passport has very, very little to do with the .NET framework.

It has everything to do with the framework. The whole concept of the framework is that one element relies upon another and you can rely upon each element to perform its function. Without that reliance, you might as well write the whole thing yourself. If you rely upon passport to manage your user log-ins (as Microsoft promotes) and passport is vulnerable, then your whole system is vulnerable. edit: decided to remove the REALLY idiotic part of this paragraph

Look, I'm really not out to demonize .Net, I think it's fine. But please, PHP has issues, .Net has issues, everything else has issues too. There's no real security bias to speak of in the major players that can be resolved with a two to eight hour chat. We're talking about no major benefit in comparison to drawbacks and there really aren't any. Sure mention type checking, that's fine, but I don't know how a PHP developer could possibly develop anything of consequence without knowing about those issues in this day and age.

Last edited by samsm; Dec 2, 2003 at 08:53.

Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

You can't get to that data without the correct password, regardless of what type that password was or what ever other crap you've attempted to throw at the application in question.

If you are on a part of the site you don't log in to or your site does not have membership, you're back to square one. While I agree that is more secure than before, my original point was not taking logging in into account.

In this, you are exposing "whatever" to unrestricted selects. In the articleID=whatever scenario, that's probably not a big deal, assuming all the articles in "whatever" are fit to be seen.

However, try as you may, there is nothing you can tack on the query above to access data from other tables or alter data in any table. That is, assuming that you are accessing the database with a function like mysql_query which only allows one query at a time (so tagging a second, destructive query on the end is out).

Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

Fair enough. Are some MSSQL hosts still vulnerable to slammer? Seriously, I'm going out on a limb and guessing that for every old security problem uncorrected in LAMP hosts, there is a problem uncorrected in IIS hosts.

You are talking about it as something that can be fixed with a patch or something - it's not. The hosts that enable register globals are not bad hosts - they have to do that by default to support legacy applications. I do not know of a security problem of this nature or magnitude for .NET, but I'd love for anyone to prove me wrong. I won't comment on IIS or MSSQL vulnerabilities on hosts, as that would just be complete speculation - suffice to say that bad hosts will be bad hosts, and good hosts will be patched.

It has everything to do with the framework. The whole concept of the framework is that one element relies upon another and you can rely upon each element to perform its function. Without that reliance, you might as well write the whole thing yourself. If you rely upon passport to manage your user log-ins (as Microsoft promotes) and passport is vulnerable, then your whole system is vulnerable. edit: decided to remove the REALLY idiotic part of this paragraph

No, Passport has incredibly little to do with .NET. Very, very few .NET sites use Passport. Passport is a web service provided by Microsoft for the fee of US$10 000 per year. It's only meant for very large applications, and Microsoft does not actively market it to the average site.

Look, I'm really not out to demonize .Net, I think it's fine. But please, PHP has issues, .Net has issues, everything else has issues too.

Of course. I was merely addressing the original question if one web programming language was more secure than the other by pointing out that .NET is more secure out of the box, which is true. They are not major, and can easily be worked around by a reasonably experienced developer, but they were relevant to the question of the thread starter.

Sure mention type checking, that's fine, but I don't know how a PHP developer could possibly develop anything of consequence without knowing about those issues in this day and age.

I probably shouldn't say this, but I had developed several PHP sites for clients before I ever heard the term SQL Injection Attack or the register globals problem. You learn how to develop sites with PHP very fast. You also learn how to secure your web sites very fast - just not quite as fast.

You know what? I was going to use the fact that most PHP posters here are on hosts with register globals off, but I'm typing a response for another thread right now where someone has clearly written an application with register globals on. So perhaps register globals isn't as dead as I thought.

Actually, you are probably right about .Net being used more securely, too. In addition to whatever is in the framework itself, the very fact that it is more difficult makes the people who use it a different caliber which means it is more likely to be used securely.

Using your unpaid time to add free content to SitePoint Pty Ltd's portfolio?

Actually, you are probably right about .Net being used more securely, too. In addition to whatever is in the framework itself, the very fact that it is more difficult makes the people who use it a different caliber which means it is more likely to be used securely.

You know, one guy I talked to a while back had a theory that since Windows has so many security issues, that breeds a high quality on the security practices of Windows Hosts. I'm not sure if that's correct or not, but CrystalTech handled the Slammer worm DAMN well.